User's Manual

Solaris 9 Security CX-310-301 27
*.err;kern.notice;auth.notice	/dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit	/var/adm/messages
*.alert;kern.err;daemon.err	operator
*.alert	root
*.emerg	*
# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice	ifdef(`LOGHOST', /var/log/authlog, @loghost)
mail.debug	ifdef(`LOGHOST', /var/log/syslog, @loghost)
#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err	/dev/sysmsg
user.err	/var/adm/messages
user.alert	`root, operator'
user.emerg	*
)
Note the following about the output above:
- Multiple facilities and priorities can be assigned to a single entry.
- The action column on the right-hand side can write to a file or a device, or send email to specified users.
- Conditions can also be applied to entries, for example only if LOGHOST is defined (a loghost entry is present in the /etc/inet/hosts file).
- The last six lines define the actions to take if LOGHOST is not defined, so that messages are still written locally in that situation.
- By default, the auth.notice entry is commented out. It is a good idea to log all authorization messages to the file /var/log/authlog, because it makes it easier to spot important login failure messages.
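As an added example (not taken from this manual), the following Python checker expands the ifdef(`LOGHOST', ...) macros the way m4 does for syslogd and reports where a message of a given facility.priority ends up on a loghost versus a non-loghost machine. The syslog.conf fragment it reads is a constructed sample laid out like the file above; it rejects any entry whose selector and action are not separated by a tab, which Solaris syslogd requires.

```python
import re
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
# Constructed sample laid out like the Solaris 9 /etc/syslog.conf above (tab-separated fields)
SAMPLE = """\
*.err;kern.notice;auth.notice\t/dev/sysmsg
*.alert\troot
#auth.notice\tifdef(`LOGHOST', /var/log/authlog, @loghost)
mail.debug\tifdef(`LOGHOST', /var/log/syslog, @loghost)
ifdef(`LOGHOST', ,
user.err\t/var/adm/messages
user.alert\t`root, operator'
)
"""
IFDEF = re.compile(r"ifdef\(`LOGHOST',\s*([^,]*),\s*([^)]*)\)")

def expand_m4(text, loghost_defined):
    """Resolve ifdef(`LOGHOST', A, B) as m4 does for syslogd: A on the loghost, B elsewhere."""
    out, dropping = [], False
    for line in text.splitlines():
        if line.startswith("ifdef(`LOGHOST', ,"):  # multi-line form: A is empty,
            dropping = loghost_defined              # so the body survives only off-loghost
        elif line == ")":
            dropping = False
        elif not dropping:
            m = IFDEF.search(line)
            if m:
                branch = m.group(1) if loghost_defined else m.group(2)
                line = line[:m.start()] + branch.strip()
            out.append(line)
    return out

def parse_rules(lines):
    """Return [(list of (facility, priority), action)]; reject space-separated fields."""
    rules = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        if "\t" not in line:
            raise ValueError("syslog.conf fields must be tab-separated: %r" % line)
        selector, action = line.split("\t", 1)
        rules.append(([tuple(p.split(".", 1)) for p in selector.split(";")], action.strip()))
    return rules

def routes(text, loghost_defined, facility, priority):
    """Actions a facility.priority message reaches; a selector matches its priority and above."""
    level, hits = PRIORITIES.index(priority), []
    for pairs, action in parse_rules(expand_m4(text, loghost_defined)):
        if any(f in ("*", facility) and level >= PRIORITIES.index(p) for f, p in pairs):
            hits.append(action)
    return hits
```

Running routes(SAMPLE, False, "auth", "notice") shows that with the auth.notice line still commented out, authentication notices reach only /dev/sysmsg and never /var/log/authlog or the loghost.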
Configuring syslog to Log Centrally
A professional attacker will try to cover his/her tracks by modifying the system logs so that there is no
evidence that an attack even took place. This is done quite easily if the attacker has gained privileged